One way of preventing groups leaking is to set up filters on the group
addresses at the border routers of the region. This is
implemented inside of the mrouted release, but is not terribly
well-known. A group of addresses are defined as being
administratively scoped, and when they reach the borders of the region
they are blocked from going outside. Similarly, packets using the
same group address in the outside world cannot leak inside (?).